If you login into your JSF web application, then your URL displayed in your browser should not have a URI like this: www.myapplication.tld/site.xhtml;jsessionid=XXXX
1. Go to the folder WEB-INF.
If you use Netbeans, then you can find the folder in the tab projects.
2. Then edit the file web.xml
<session-config> <cookie-config> <http-only>true</http-only> </cookie-config> <tracking-mode>COOKIE</tracking-mode> </session-config>
Now you have to recompile your application and then we are done.